Unknown Directory Creation???

[jreedar]

Hi, I'm running Windows 2000 with service pack 4, all updates and patches applied. I have a firewall and Norton Antivirus corporate edition running at all times, and I've run Adaware and Spybot search & Destroy and everything shows I'm clean. However, on one of my partitions that I have MP3 stored I noticed two directories with no names, so I opened one and here's a listing of the entrire tree structure of the directory: "K:\ \ \ \con\~\com4\ScanneD \com8\by \com6\Noname\com2\TaGGeD \com8\by \lpt2\Noname\con\ \with Neo1907´s PuB-tAgGeR \lpt3\uPPed \com8\BY \com5\Noname\com6\StuFF"

There is nothing in any of the directories and as you can see the first three have no names. I can not delete them or format the partition. Based on some of the names of the directories it looks like a virus, but I can find anything? Also I ran error checking on the partition after rebooting and it found nothing wrong.

If anyone has any ideas or seen this before please help. If you need anymore information please let me know.
Thanks in advace.

 

[bcastner]

It is called 'pubbing' and someone was using your machine as an anonymous FTP Host.

cf. for example,

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&th=dd256013aa6b8562&rnum=9

 

[bcastner]

By the way, what firewall do you have? This should not have been possible.

 

[jreedar]

I'm running Tiny personal firewall. Any ideas on how to delete these directories? I'm going to delete all set rules I have on my firewall allowing incoming access, I checked it and all imcoming rules do look valid but somehow someone got in.

 

[bcastner]

Take ownership.

This article refers to XP but the steps are identical in Win2k:

http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

Then delete it.

 

[jreedar]

Hey thanks bcastner, what I have already done was remove my files from that share and then delete that partition and repartion it using partion magic. So I'm OK now, I did find 1.5 GB of data that had been FTP'd to my machine and saw how it was done through checking my FTP logs. That was my fault and I'm now locking it down and not allowing anonymous access and setting up only a specific account that has only access to my FTP directory. This shouldn't happen now - but I'll be watching for it again if it does.

 

[bcastner]

Glad you got it sorted. Most of this activity is benign, it is not an attempt to hack your machine or do anything destructive. It is a bunch of people looking for an "anonymous" FTP site to use for as long as it is not discovered.

I am not condoning the activity, just telling you that it is not in and of itself an attempt to harm you.

Just curious, what was in the 1.5 Gigabytes? Did you recognize any of the content? They are usually .rar files.

 

[jreedar]

After doing a little research I found out exactly what you just said. I was just mad at myself for leaving it open and for naming one of the directories they used so basic and easy to guess it was named 'music' so it wasn't hard to find. My other directories were named not as generic so those weren't used. You are right they were all .rar files, the directories were split into 'Appz' and 'Mp3s'. The apps. were '3dmax', 'Adobe Photoshop 7.0 Duetsch', and 'Ciname4D'. The MP3s contained on album called: "Beginner_-_Blast_Action_Heroes_(by hypnotic)". I actully opend it and listend to a few songs they they were in German.

I'm just glad nothing harmful was done and I learned a good leason from it. Thank for your help and quick replies.

 

[bcastner]

Too bad you did not get anything usefull to you.

Best,
Bill Castner